Yesterday, the French maritime transport and logistics company CMA CGM released a statement about an attack impacting its servers. “As soon as the security breach was detected, external access to applications was interrupted to prevent the malware from spreading.” The company initially stated that booking was still available, but a later update confirmed that external application access and booking were unavailable. CMA CGM is currently working with external parties to investigate. Although not yet confirmed, a report by Lloyd’s List names Ragnar Locker as the culprit and shows a partial screenshot from a ransom note.
Exposed Remote Desktop (RDP) servers with weak credentials and phishing attempts are still two of the most common ways ransomware finds its way into a network. RDP servers should be placed behind a VPN and RDP Gateway server if external access is needed, rather than exposing them directly to the Internet. Strong credentials and multi-factor authentication should be enforced as well. All public-facing servers should be patched quickly after vulnerabilities become publicly known, especially if exploit code is available. Organizations should also invest in regular security awareness training to teach employees what to look out for in a suspicious email. To protect the organization from data loss, follow the 3-2-1 backup rule. Keep at least three copies of your data. Store the copies on at least two different forms of storage media. Keep one copy offsite. Should ransomware ever encrypt one form of backup connected to the victim machine, recovery should be possible with another safe copy.